Risk Based Thinking in ISO FDIS 9001:2015

Question

In 0.3.3 Clause of the standard – it is said that “A positive deviation of the risk can provide an opportunity, but not all positive effects of risk result in opportunities.”  Can you please clarify this statement?

Answer

Thanks for contacting ASQ’s Ask the Experts program.  Good question! As mentioned, ISO FDIS 9001:2015, Clause 0.3.3, which states, “A positive deviation of the risk can provide an opportunity, but not all positive effects of risk result in opportunities”.

In my opinion, this highlights an important point.  That is, not every positive deviation or change of a risk will include opportunity.  Consider the recent changes that have occurred in the Oil and Gas industry.  When the demand for crude oil was high, the availability of various materials and services providers was low, and prices were high.  This situation (availability of materials, services providers and costs) may have been identified as a supply chain risk.

However, the oversupply of crude oil drove prices down.  Crude oil production has dropped to stabilize pricing at the pumps.  This positive deviation of risk has provided an opportunity to crude oil producers, which includes the improved availability of materials, greater selection of services providers as well as more competitive pricing.  So dependent upon where you sit, this deviation of risk may be considered a negative that has decreased product demand and lowered pricing or a positive that has lowered consumer pricing and increased availability.

Consider companies that are providers of upstream services to crude oil producers.  Their risk based thinking may have identified the supply of qualified personnel to perform upstream servicing as a risk.  The decrease in demand for upstream services has increased the pool of qualified personnel.  However, this positive deviation of risk does not represent an opportunity.  The scenarios mentioned above are basic and intended to highlight the point of ISO FDIS 9001:2015, Clause 0.3.3.  There are far more dynamics that should be considered when assessing the deviation of risk versus opportunity.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com

Internal Audits

Question

Can the Management Representative be part of the internal auditor team?

Answer

Thank you for contacting ASQ’s Ask the Experts program.  Concerning your question, ISO 9001:2008, clause 8.2.2, only prohibits persons from auditing their own work.  So provided that the Management representative is assigned to audit processes that are outside his/her work responsibilities, there is no other restriction in with regard.   ISO 19011:2011,clause 4.0, “Principals of auditing” as well as clause 6.3.3, “Assigning work to the audit team”, should be reviewed for additional insight and understanding.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com

Approved Supplier List

Mr. Pareto Head and Supply Chain comic strip

Question

I would like to know how supplier status in the Approved Supplier List (ASL) should be managed so that there is complete traceabilty.  For instance, a vendor status is changed from approved to not approved in the ASL for reasons other than substandard performance which is documented in an audit report, how should QA document such change to ensure that these changes are tracked. Could QA make changes in the ASL without notifying the Purchasing Department and without any documentation?

Answer

Thanks for contacting ASQ’s Ask the Experts program.  Concerning your questions, about supplier status traceability, and ASL management, the following response is provided.

Dependent on the number of suppliers involved and the availability resources, an organization may choose to utilize a single or combination of methods to monitor supplier performance and supplier status.  These methods may range from using an MS Word or Excel spreadsheet, Access database to a multi-user database.

As you are aware, ISO 9001:2008, Clause 7.4.1, requires the organization to establish criteria for selection, evaluation and re-evaluation of suppliers.  This clause also requires records of results of evaluations to be maintained.  This includes any necessary actions taken as a consequence of the evaluations conducted, such as the removal of a supplier from the ASL or changed approval status.

ISO 9001:2008 does not limit a company’s ability to remove a supplier from the ASL.  This is an internal decision based on the company’s established criteria.  So there could be various reasons for removing a supplier from the ASL.  Likewise, with changing a supplier’s status from pending, approved to not approved.  As mentioned, ISO 9001:2008, Clause 7.4.1, requires records of supplier evaluations to be maintained, and any actions taken as a result of the evaluation to be retained.

The a primary purpose of the ASL is to ensure the placement of purchase orders or contracts are limited to those suppliers that meet the company’s established criteria for supplier selection, evaluation, and re-evaluation.  For this reason, Purchasing must be included in any changes made that may affect their use of the ASL.

Generally speaking, Purchasing is responsible for maintaining and updating the ASL, which includes ensuring the current status of suppliers of products and services are identified.   The company’s internal audit process is typically used to assess Purchasing’s conformance with established criteria for supply chain management.

In summary, I would not recommend that changes be made to any QMS process without the involvement of the QMS process owner and management as applicable.  ISO 9001:2008, Clause 5.4.2, sub b., requires top management to ensure that the integrity of the QMS is maintained when changes are planned and implemented.  If changes are made to the ASL, Purchasing should certainly be involved.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com

Auditor’s Responsibilities

Root cause analysis figure

Question

Is it an auditor’s responsibility to seek the “root cause” while conducting an audit?

Answer

An auditor should not seek the root cause for an audit finding. An auditor’s responsibility is to verify compliance with a requirement (e.g. ISO 9001 standard) and determine if there is compliance with the requirement or not. In doing so, there is objectivity in making that assessment.

If an auditor determines the root cause, it introduces subjectivity and potential conflict of interest to the audit process and in correcting an issue. In addition, the auditor may not have the full information about the issue thus the “root cause determined by the auditor” may not correct the non-compliance to the requirement.

Best Regards,

Dilip

Dilip A. Shah ASQ Fellow, ASQ-CQE, CQA, CCT,
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services
Past Chair, ASQ Measurement Quality Division (2012-2013)
Past Member of the A2LA Board of Directors (2006-2014)
Tel: 330-328-4400
Fax: 1-888-226-9533
E-mail: emc3solu@aol.com